Understanding HTTPS and the green padlock

My Chrome browser has just told me that a website I’m trying to reach is unsafe. What’s going on?

It’s warning you that your connection to the website isn’t encrypted. That means the information that flows between your computer and the site is being sent in clear text.

What does that mean exactly?

When you connect to a secure website, information sent between the site and your computer is encrypted so that hackers can’t read the data if they intercept it as it’s being sent.

Until recently a lot of websites made sure that they encrypted sensitive data that you sent, such as passwords and credit card numbers, but didn’t bother to encrypt other pages, such as the home page or product pages. It’s increasingly the view of experts that all the pages on a website should be encrypted. Google is leading the way on encouraging websites to make sure this is the case.

If you want to carry on to the website, click on Advanced at the bottom of the page. You’ll be shown another warning, and given the choice to go “Back to safety” or to “Proceed to (website).”

Why is it insecure if it isn’t encrypted?

Encryption scrambles the data being sent from your computer, and the website decrypts it at the other end. Hackers can set up in, say, a coffee shop and eavesdrop on everyone who is using the Wi-Fi connection. If the data you send isn’t scrambled, they can intercept your passwords, your credit card details and any other sensitive information you’re sending.

As well as eavesdropping to steal information as you send it to the website, hackers can also mount what’s called a “man in the middle” attack. That means they can intercept your connection to a website and redirect you to a fake web page without you knowing.

So if an online store’s home page isn’t encrypted and you click on the link there to log in to your account, the hacker could jump in and send you to a fake site. A common trick is to send you to what looks like an error page that asks you to input your login details to connect – if you see this, don’t log in. There’s a scammer behind that page waiting to scoop up your password.

So what should I look for?

You should see a padlock – some browsers colour it green – in the address bar.

That means that the whole website is encrypted. In other browsers you will also sometimes see a padlock with a warning triangle. This means that some pages on the website aren’t encrypted, though others are. It’s not unsafe to use this website, but be careful with it if you’re on public Wi-Fi.
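For site owners, the check behind these warnings can be automated. The sketch below is an added example, not part of the original article: it lists every unencrypted (http://) link, resource and form target on a page, and marks forms that contain a password field. The `audit_page` function, the `shop.example` site and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch or send something, per tag.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "a": "href", "form": "action"}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # [tag, absolute_url, form_has_password_field]
        self._open_form = None  # entry for the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form[2] = True
            return
        attr = URL_ATTRS.get(tag)
        if attr is None or (tag != "form" and not attrs.get(attr)):
            return
        # Relative URLs (and forms with no action) inherit the page's scheme.
        entry = [tag, urljoin(self.page_url, attrs.get(attr) or ""), False]
        if tag == "form":
            self._open_form = entry
        if urlsplit(entry[1]).scheme == "http":
            self.findings.append(entry)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None

def audit_page(page_url, html):
    """List every unencrypted (http://) reference on one page."""
    parser = _Collector(page_url)
    parser.feed(html)
    return [tuple(entry) for entry in parser.findings]

# Constructed sample pages for the hypothetical shop.example.
HOME = '<a href="/login">Log in</a><img src="https://cdn.shop.example/logo.png">'
LOGIN = ('<script src="http://cdn.shop.example/app.js"></script>'
         '<form action="http://shop.example/session">'
         '<input type="password" name="pw"></form><a href="/help">Help</a>')

if __name__ == "__main__":
    for url, html in [("http://shop.example/", HOME), ("https://shop.example/login", LOGIN)]:
        print(url, audit_page(url, html))
```

Served over http://, the sample home page’s login link is flagged because a relative link inherits the page’s scheme; the same HTML served over https:// produces no findings.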

Does the green padlock mean the site is genuine?

No, it doesn’t. It only tells you that the connection is encrypted. A green padlock doesn’t mean the shop that owns the site is reputable. Scammers can buy a certificate to get a green padlock for a fake website.